It’s a concept that has been discussed within IT security circles for a number of years, yet many people remain unsure of exactly what is meant by eXtended Detection and Response (XDR).
First defined by analyst firm Gartner back in 2020, XDR addresses the growing requirement for new levels of security telemetry aggregation. This additional correlation and analysis is needed to protect what has become an increasingly diversified attack surface and guard against security threats that are becoming more complex to detect.
When an organisation integrates XDR capabilities into its IT infrastructure, its security team can better analyse events from diverse sources. XDR allows knowledge to be shared from a single security platform for fast, automated responses that reduce an IT security team’s workload while improving its efficiency.
Putting XDR to work
In essence, an XDR strategy helps to boost IT security by combining different technologies that generate more accurate detections than when they operate separately. XDR collects and displays cross-product detections for computers, servers, and firewalls in a unified way, thus providing security professionals with the context of threat detections and enabling them to respond to and stop advanced threats more quickly than would otherwise be possible.
By incorporating all data into a single management console, XDR also eliminates the need for security teams to learn how to use multiple management systems. As a result, it becomes possible to detect threats on both protected and unprotected devices by using cross-domain data to thwart advanced threats.
In addition, cross-domain event correlation means activity can be monitored across different security products. This enables the categorisation and detection of malicious scenarios that may seem harmless on their own but, when combined, become indicators of compromise.
The response automation and scheduling offered by XDR can also free security teams from repetitive or manual tasks by allowing them to instead act on detections that match previously defined criteria. This can ensure resources are used most effectively and provide the best possible level of cyber protection.
The benefits of XDR for MSPs
Managed Service Providers (MSPs) can achieve significant advantages when making use of XDR to protect the IT infrastructures of their clients.
For example, correlating network security telemetry with endpoint telemetry can significantly increase the chances that advanced persistent threat (APT) attacks are identified and neutralised.
Unknown files downloaded by users can also be automatically sent to a sandbox for analysis. If a file is found to be malicious, XDR can correlate this finding with the endpoint that received it and immediately remove the file from the device.
Also, XDR can help an MSP identify processes running on a computer that may not be harmful in themselves but are able to make malicious connections via elements such as browsers or email clients. XDR capabilities can take data from blocked connections on a firewall and link it to individual applications on the endpoint, enabling users to detect new malicious applications.
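The firewall-to-process correlation just described (and the "harmless alone, suspicious together" idea from the cross-domain correlation section above) can be shown as a small detection rule. This is an added illustration, not code from the original article or any XDR product; the telemetry records and their field names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (field names are assumptions, not a real product schema):
# firewall block events keyed by source host/port, and endpoint events recording
# which process owned each outbound source port.
FIREWALL_BLOCKS = [
    {"ts": "2024-05-01T10:00:05", "src_host": "ws-07", "src_port": 51000, "dst": "198.51.100.10:443", "action": "block"},
    {"ts": "2024-05-01T10:00:09", "src_host": "ws-07", "src_port": 51001, "dst": "198.51.100.11:443", "action": "block"},
    {"ts": "2024-05-01T10:00:14", "src_host": "ws-07", "src_port": 51002, "dst": "198.51.100.12:443", "action": "block"},
    {"ts": "2024-05-01T10:02:00", "src_host": "ws-03", "src_port": 40001, "dst": "203.0.113.5:80", "action": "block"},
]
ENDPOINT_CONNS = [
    {"ts": "2024-05-01T10:00:05", "host": "ws-07", "src_port": 51000, "process": "updater.exe", "pid": 4120},
    {"ts": "2024-05-01T10:00:09", "host": "ws-07", "src_port": 51001, "process": "updater.exe", "pid": 4120},
    {"ts": "2024-05-01T10:00:14", "host": "ws-07", "src_port": 51002, "process": "updater.exe", "pid": 4120},
    {"ts": "2024-05-01T10:02:00", "host": "ws-03", "src_port": 40001, "process": "chrome.exe", "pid": 880},
]

def correlate_blocks_to_processes(blocks, conns, window=timedelta(seconds=2)):
    """Join each firewall block to the endpoint process that owned the same
    (host, source port) within `window` of the block time.
    Returns {(host, process): set of blocked destinations}."""
    by_key = defaultdict(list)
    for c in conns:
        by_key[(c["host"], c["src_port"])].append(c)
    hits = defaultdict(set)
    for b in blocks:
        if b["action"] != "block":
            continue
        block_time = datetime.fromisoformat(b["ts"])
        for c in by_key.get((b["src_host"], b["src_port"]), []):
            if abs(datetime.fromisoformat(c["ts"]) - block_time) <= window:
                hits[(b["src_host"], c["process"])].add(b["dst"])
    return hits

def flag_suspicious(hits, min_distinct_dsts=3):
    """One blocked connection is noise; a single process reaching several
    distinct blocked destinations is the combined signal worth an alert."""
    return sorted(k for k, dsts in hits.items() if len(dsts) >= min_distinct_dsts)

if __name__ == "__main__":
    for host, proc in flag_suspicious(correlate_blocks_to_processes(FIREWALL_BLOCKS, ENDPOINT_CONNS)):
        print(f"ALERT host={host} process={proc}: repeated blocked outbound connections")
```

Neither data source alone names the offending application: the firewall sees only a host and port, the endpoint sees only a process and port, and it is the join across both that produces the alert.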
How MSPs can offer additional protection for clients
As well as these clear benefits, there are other ways in which MSPs are able to take advantage of the capabilities of XDR and add value for their clients. These include:
- Increased unified threat visibility:
  XDR enables increased accuracy and accelerates detection by unifying threat data into a single management interface. Collecting and visualising detections from a range of products makes MSPs more agile and gives them the context around detections they need to respond to and stop advanced threats more quickly.
- Lowering the mean time to detect (MTTD):
  Research data from IBM[1] reveals that, during 2022, it took companies an average of 207 days to identify a security incident. At the same time, however, those with XDR technologies gained considerable advantages in identification and response times. Organisations that deployed XDR shortened the incident lifecycle by approximately one month.
- Enabling improved unified threat response orchestration:
  XDR also allows MSPs to be more efficient in their operations by offering a wider range of response actions. This, in turn, enables them to schedule and automate threat response across a client’s entire network from a single console. For any company, being able to reduce detection times and show agility in response actions can make the difference between responding to a threat in time and the attack spreading and taking control of critical systems.
- Reducing the need for complex configuration:
  Experience shows that some XDR solutions require advanced knowledge for effective installation and configuration. MSPs can work with their clients to streamline this process and ensure the new capabilities are in place and operational as quickly as possible.
It’s clear that XDR has a lot to offer both MSPs and their clients. By fully understanding how the technology functions and the benefits it can deliver, both groups will be able to enjoy the significant benefits of improved IT security.
[1] https://www.ibm.com/downloads/cas/3R8N1DZJ